End users have taken over communications requirements, and in hindsight it shouldn’t be a surprise. In the 1990s users got caller ID and call waiting on their home phones when PBXs could not provide this service at work. Today, phones and email don’t cut it anymore – people are demanding more in-touch and intimate communication. Standing in the way of this speeding freight train is not an attractive proposition, and frankly it is nonproductive. But what are the risks? Given that cable Internet service is included with your TV signal, satellite dish, and your children’s smart phones, along with text and instant messaging and every other way to make contact, can you keep up?
The answer is yes, with a secure IP-centric network. There is little doubt that you will be asked to support alternate modes of communication that increase productivity, increase employee attraction and retention, and increase perceived risk. We’re here to help you say, “Yes, the network is ready.”
Join Don Weiner for “Secure Collaboration - Communicate Confidently and Effectively with Cisco Unified Communications,” the fourth in a series of Conversations with Cisco®, and learn how the Cisco secure Unified Communications solution can help federal agencies and departments seamlessly converge voice, video and data networks into a single, powerful, secure network that is ready to meet this challenge.
Discuss how to enable and deliver a secure and collaborative communications infrastructure to meet your users’ and agency’s requirements. Log on for the Secure Unified Communications Viewpoint with Cisco, June 28 at 2pm EDT.
washingtonpost.com: Good afternoon everyone, welcome to today's Conversation with Cisco. Today we have with us Don Weiner. Today we hope to learn how the Cisco secure Unified Communications solution can help federal agencies and departments seamlessly converge voice, video and data networks into a single, powerful, secure network that is ready to meet this challenge.
Welcome Don, let's get started....
Don Weiner, Cisco: Thanks, Bobby, it's great to be here.
_______________________
Washington, D.C.: What does it take to enable encryption on a Cisco telephony system?
Don Weiner, Cisco: A minimum of two eTokens is required, with a list price of $300 each. Two eTokens are required so you will have a backup if one fails, but you can purchase as many as you wish. You register the eTokens once in the administrator client software and from then on need just a single eToken to make changes to the Certificate Trust List – a list of trusted servers in the Cisco Communications Manager.
_______________________
Houston, Tex.: How big a threat is SPIT to enterprise VoIP systems?
Don Weiner, Cisco: SPIT, spam over Internet telephony, is a theoretical threat where malicious users send huge numbers of voice “calls” like they would send huge numbers of email messages. These attacks would be launched against phones rather than email servers. This has not been a real problem since enterprise telephony systems are not open to the Internet. IP telephony does not mean opening your system up to unknown sources. The IP components, and sources and destinations, are on the controlled enterprise IP network. Using standard IP security mechanisms like firewalls and encrypted VPN tunnels, the telephony system can be protected against attacks that may be present on the Internet. Future protection, which can create the possibility of opening up to more IP destinations outside the enterprise, may come in the form of technologies like wide packet inspection and authenticated identity found in RFC 4474.
_______________________
Arlington, Va.: Is toll fraud as big a threat in VoIP as in my legacy PBX?
Don Weiner, Cisco: In a word, yes. Toll fraud and telabuse are real threats to any telephony system. Mechanisms must be available to prevent callers from transferring out of voice mail systems to worldwide destinations (an early form of toll fraud). Mechanisms must be available to restrict users from forwarding their phones to just anywhere. Users must be educated, through regular sessions (at least annually is recommended), on social engineering techniques designed to trick a user into revealing privileged information or enabling toll fraud (for example, transferring a caller to a remote destination). These sessions can also be used to reinforce policies regarding telabuse – the deliberate abuse of enterprise telephony services for one’s own gain. A common example of telabuse is an employee forwarding their business phone to their home phone, then having friends in remote locations call in on an 800 number and select their business extension from the auto-attendant. The call completes and is billed to the 800 number, not to the caller. Remote access/direct inward system access (DISA) was a usable feature in PBXs that allowed users to dial into the PBX, enter a code, then dial out from the PBX. This could be done from remote locations via an 800 number and was designed to allow users to make business-related calls from remote locations without having to pay the toll charge. The problem was that these numbers were heavily targeted by hackers, and once a DISA code was hacked, thousands of dollars in long distance charges could be incurred in a very short amount of time. The previous solution was to issue calling cards to users that had this need, as the calling cards carried a lower liability if they were stolen or compromised. Today, VPN access provides stronger authentication and encryption capabilities than DISA ever did and is commonly used to enable remote access to telephony services.
_______________________
Atlanta, Ga.: What security threats do I need to look out for?
Don Weiner, Cisco: This is an ever-changing list. In the past, areas of concern included physical access restrictions to switch rooms and wiring closets, toll fraud/telabuse, modems for remote maintenance, remote access/direct inward system access (DISA), and social engineering. With current PBXs you have all of those plus IP management interfaces, IP trunk cards, IP phone gateways, IP adjunct interfaces, IP call control interfaces – basically anything with a network connection. With IP telephony you add on network-impacting things like denial of service (DoS) attacks and man-in-the-middle attacks. With Cisco Unified Communications you have similar areas of concern but generally are talking about fewer ports to protect. IP phones communicate directly with call control servers for signaling. Phones and gateways communicate directly. There are no intermediary devices or cabinets required like those found in some other vendor offerings. This doesn’t mean that those ports shouldn’t be protected, but it does mean fewer battlefronts. The network threats should be addressed as a part of general network security. Chances are there is data traversing the network that is as sensitive as voice calls, or perhaps more so. The advantage of a converged network is that security mechanisms implemented can benefit all methods of communication – voice, email, video, etc. – rather than requiring separate policies and provisioning for each network.
_______________________
Washington, D.C.: What do I need to add to my VoIP system to secure it?
Don Weiner, Cisco: There is no one thing that you can administer or deploy that is going to secure your system. Security must be provided at all levels, from infrastructure components to server software to endpoint capabilities. Cisco Unified Communications solutions utilize numerous methods – Cisco Security Agent intrusion prevention software on servers, infrastructure capabilities such as DHCP snooping, Dynamic ARP inspection and IP Sourceguard, secure administration interfaces, signed firmware images, denying access to the voice VLAN from the data port on IP phones, authentication of endpoints based on X509v3 digital certificates, and much more. Security in depth is required, but in most cases it also helps to secure non-voice traffic on your network, maximizing your investment. You also need to address telephony administration items such as trunk-to-trunk transfers, tiered calling permissions, restricting calling permissions on voicemail and IVR ports, etc. and end-user educational items such as social engineering.
_______________________
Boston, Mass: What offerings does Cisco have to assist with the security of my UC architecture?
Don Weiner, Cisco: Cisco Advanced Services offers 4 service components for UC Security:
1) Cisco Unified Communications Security Policy and Procedure Review
2) Cisco Unified Communications System Security Design Review
3) Cisco Unified Communications Network Security Design Review
4) Cisco Unified Communications Vulnerability Test
_______________________
Washington, D.C.: Can Cisco assess my organization’s ability to detect and respond to threats on the UC systems, and validate voice security policy and procedures?
Don Weiner, Cisco: Yes, with the Cisco UC Vulnerability Test service Cisco security engineers test for vulnerabilities with your Cisco Unified Communications infrastructure.
_______________________
Raleigh, N.C.: What are some of the network components analyzed during a Cisco UC Network Security Design Review?
Don Weiner, Cisco: Voice gateways
Remote-access devices
Intrusion detection systems
Endpoint security
Firewalls
Routers and switches
Security management systems
_______________________
San Diego, Calif.: What is a Unified Communications System Security Design Review?
Don Weiner, Cisco: During a UC System Security Design Review Cisco voice security engineers review and analyze critical UC systems such as Cisco Communications Manager, Cisco IP phones, and Cisco Unity software. The Cisco team identifies vulnerabilities and provides you with recommendations to enhance protection against unauthorized access, identity spoofing, toll fraud, and application layer threats.
_______________________
Denver, CO: Does Cisco have a service that will perform an in-depth review of my organization’s Cisco UC security policies and operational procedures?
Don Weiner, Cisco: Yes, Cisco’s UC Security Policy and Procedure Review.
_______________________
Washington, D.C.: How does a separate voice VLAN protect the telephone equipment?
Don Weiner, Cisco: By itself it does very little to nothing to protect endpoints. The separate VLAN means that the traffic is logically separated and access rules can be more easily administered. Traffic between the voice VLANs and other VLANs can be regulated using access control lists or firewall solutions. Generally the voice VLAN will use RFC 1918 IP address ranges (non-routable on the Internet) which can make securing those subnets easier but also offers little inherent protection. With separate VLANs voice traffic will be on a separate broadcast domain so broadcasts on the data network should not affect the voice network, but mitigating procedures such as storm-control should still be taken to limit broadcast and multicast traffic from becoming an issue on any network. In summary, separate voice VLANs are a best-practice but offer little to nothing in the way of security without other mechanisms in the network.
_______________________
Richmond, Va: To avoid security issues we are planning on a physically separate network to carry voice traffic. This will also give us bandwidth dedicated to voice so removes QoS requirements. Why does Cisco not recommend this approach?
Don Weiner, Cisco: Actually, neither the QoS nor the security statement is true. Over-provisioning of bandwidth does not alleviate QoS requirements for a number of reasons, with one primary reason related to security. If a worm, virus, or denial of service attack were to affect the voice network, bandwidth can easily be saturated. QoS prioritizes voice traffic and guarantees a certain amount of bandwidth to voice signaling so even a DoS attack will not affect your telephony system if properly configured. Cisco has done tests where bandwidth has been saturated on a network to the point where pings will fail, yet the Cisco CallManager solution has performed perfectly. That is the result of proper QoS administration. Physically separating networks also does not mean an avoidance of security concerns. Viruses, worms, and DoS attacks are possibilities in the voice network – physically separating the network does not alleviate that concern. IP spoofing, man-in-the-middle attacks, etc. are still possibilities with a physically separated network. Add to that the inconvenience and expense of separate Ethernet ports for phones and PCs, separate security devices for the data and the voice networks, etc. and a separate network is very unattractive. Using virtual networks (VLANs) to logically separate voice and data traffic, rather than a full physical separation, has much more merit and actually makes implementation of security policies and appliances easier and much more cost effective. Can Cisco UC solutions operate in a physically separated network? Yes. Do we recommend this approach? No.
_______________________
Seattle, Wash.: What is the simplest telephony security vulnerability you have heard of?
Don Weiner, Cisco: Off-hand I would say eavesdropping on touch tones (DTMF) played over a speakerphone. Someone nearby hears you input your credit card or PIN information and is able to translate the tones into digits. It’s a very simple, and old, method of acquiring private data. Note that Cisco phones do not play DTMF over the speakerphone – just a generic tone to confirm a button was pressed, but not identifying the digit.
_______________________
Washington, D.C.: Has Cisco gone through any independent testing of VoIP security?
Don Weiner, Cisco: Yes. There have been several tests, the two most noteworthy being the Miercom test in 2004 and ongoing US Government testing since 2004. In March 2004 Miercom (www.miercom.com) invited the top five IP-PBX vendors to their Princeton, New Jersey office for a week-long security evaluation and Cisco responded. Miercom had two of their own lab personnel onsite and sub-contracted four professional hackers to spend the week trying to attack the system. The hackers accessed the system via the public Internet and launched their attacks from various Linux, Unix and Windows machines set up in the Miercom lab. The two Miercom lab engineers were there to help facilitate the hackers and do anything that required hands-on access (that is, connecting cables, configuring the hacker machines, etc.). Throughout the testing the Cisco telephony solution proved impervious to the hackers’ attempts and received the prestigious “secure” rating from Miercom. No other vendor received that rating.
The US Government requires certification of telephony equipment before it can be used by Department of Defense users. This testing takes several weeks (usually 6) to complete and part of this certification is exhaustive Information Assurance (IA) testing designed to identify security vulnerabilities. Test results are reviewed by the Defense Information Systems Network Security Accreditation Working Group (DSAWG) and systems under test are passed or failed based on how they fare in the IA testing. Another part of testing floods the network with traffic and ensures the telephony system remains unaffected. Systems must be able to meet a 99.999% availability level at all times. Cisco has successfully passed all requirements in every version of CallManager submitted for testing and, because certification is based on software version, continues to submit new versions for testing.
_______________________
Atlanta, Ga.: Do VoIP calls need to be encrypted?
Don Weiner, Cisco: Good question. This has been a common perception but the answer really depends on your business needs. Are your current calls encrypted? If on a legacy PBX, then no, and it is easy to tap into an existing phone line anywhere between the phone and the PBX cabinet and eavesdrop. Is your email encrypted end-to-end? Chances are that some information in email messages is more sensitive than voice calls. The perception that VoIP calls are easy to eavesdrop has sometimes been promoted when that is not really the case. The nature of IP and switched Ethernet is that packets and frames are sent to the destination only, not copied to everyone. There are hacking tools that compromise the integrity of your network and allow “man in the middle” attacks, meaning they intercept all traffic. This kind of attack affects all LAN traffic, not just voice, and is only possible on the compromised subnet. The good news is that attacks like this are easy to stop in Cisco infrastructure equipment through the use of features like DHCP Snooping, IP Source Guard, and Dynamic ARP Inspection.
Back to encryption. As any security expert will tell you, encryption without authentication is essentially meaningless. You actually need the security triad – Authentication, Integrity, and Confidentiality – to make encryption mean anything. Cisco provides all of these in our Cisco Unified Communications Manager solution. Authentication is provided by the use of digital certificates on our phones. The certificates are downloaded from the Cisco Communications Manager or a Customer Certificate Authority and generate their own public and private keys. These are used for authentication to the Communications Manager application. Signaling is encrypted using TLS, and the voice traffic (or bearer traffic) is encrypted via sRTP. Firmware and configuration files are digitally signed for integrity, and configuration files encrypted when encryption is enabled on the system.
_______________________
Austin, Tex.: Where should I enable encryption on my telephony system?
Don Weiner, Cisco: First, the use of encryption should be based on business need, not on any perception that IP telephony is inherently vulnerable to interception (it is not). However, if you decide that encryption is required, you will probably want to encrypt everything. Cisco is somewhat unique in the industry in that we support encryption to all destinations – phones, gateways, and even to our Cisco Unity and Cisco Unity Connection voicemail servers. The voice messaging system would be a likely candidate for eavesdropping because it has such a high volume of traffic. Cisco even goes a step further and can encrypt the audio files stored on the server as voicemail messages. Voicemail messages can even be sent with an expiration date. The messages are encrypted using a digital certificate and when the certificate expires the message cannot be heard.
_______________________
Boston, Mass: How long before VoIP is as secure as my PBX?
Don Weiner, Cisco: Definitely a matter of opinion. First, it is truly easy to eavesdrop on a TDM conversation. From technician butt sets to a ‘Mr Microphone’ with alligator clips to test equipment, there is a way to tap into any PBX phone run. Add in the cordless phones in use that can be intercepted by baby monitors and other radio spectrum monitoring equipment, and the existing systems leave a lot to be desired when it comes to security. In addition there are very few, or no, recent PBX versions without an IP interface. These interfaces are used for administrator access, voicemail connectivity, PBX networking and other purposes. The bolt-on approach to these interfaces frequently leaves security vulnerabilities, some of which could take down the entire PBX – analog phones, digital phones, and IP connectivity. I believe current Cisco IP telephony solutions are inherently more secure than hybrid systems. Given the additional security mechanisms built into the Cisco infrastructure and appliances now available, IP telephony takes voice security and availability to a new level.
_______________________
Washington, D.C.: What is Cisco Lifecycle Services for Unified Communications?
Don Weiner, Cisco: Cisco Lifecycle Services is the methodology Cisco uses for deployment of Unified Communications (UC) services and is based on years of successful UC deployments. The Cisco Lifecycle Services approach defines the minimum set of activities needed to ensure successful deployment and operation of Unified Communications technologies and optimize their performance throughout the project lifecycle. These services use the best practices and lessons learned that were common to all UC deployments despite complexity, scale of project, difficult technology, and geographical issues. The Cisco Lifecycle Services give a common framework for any deployment and have been found to shorten deployment time, which leads to increased revenue and increased productivity for the customer.
_______________________
Washington, D.C.: Why should I care about services around the Unified Communications products?
Don Weiner, Cisco: Because good planning and design avoid unnecessary costs. We have found that customers that fail to adequately prepare for UC prior to implementation could be caught off guard with added costs resulting in budget overruns. Applying best practices learned from early adopters of Unified Communications provides guidelines for a successful migration.
_______________________
washingtonpost.com: It looks like we are just about out of time here. Don, thank you for your time and answering our questions.
Don Weiner, Cisco: You're welcome, Bobby. It was a pleasure to be here. If our audience has any more questions, they can visit our website at cisco.com/go/fedunified
_______________________